How to Disable IPv6 in Fedora and CentOS

They say that disabling IPv6 makes networking a bit smoother and faster. I don’t really know if this is true, but I guess that if you’ve decided to disable this feature, you probably care to do it the Right Way™. As far as I know, disabling IPv6 through anaconda during the installation of Fedora or CentOS does not turn off the IPv6 functionality completely; it only disables it for the configured network interface. This is not actually a problem, but why should this network layer be enabled system-wide if you do not use it at all? This small article assists you in disabling IPv6 in the latest Fedora and CentOS releases in an aggressive and unforgiving way.

Check if the module is loaded

IPv6 functionality is made available to the system by the ipv6 kernel module. To check if this module is currently loaded in your system, issue the following command as root:

lsmod | grep ipv6

If you see ipv6 in its output, then the module is loaded.

Performing this check is absolutely not necessary. It is included in this article for completeness.

Disable IPv6

You can prevent a module from being inserted into the kernel by either blacklisting it or by completely disabling it.

In this case, since you will most probably turn off the IPv6 firewall (ip6tables) as well, it is highly recommended to completely disable the ipv6 module, to avoid any accidental loading of the IPv6 stack without any firewall protection at the same time.

How the module blacklist works

This information about blacklisting a kernel module exists here for educational purposes. It has been mentioned above that for ipv6 it is important to completely disable it.

From the modprobe.conf man page:

Modules can contain their own aliases: usually these are aliases describing the devices they support, such as “pci:123…”. These “internal” aliases can be overridden by normal “alias” keywords, but there are cases where two or more modules both support the same devices, or a module invalidly claims to support a device: the blacklist keyword indicates that all of that particular module’s internal aliases are to be ignored.

So, blacklist indicates that a module’s aliases should be ignored. But what happens if an application needs to load that specific module, or if root uses modprobe to load it on demand? Let’s test it…

To blacklist the module, simply save the following line in a file inside /etc/modprobe.d:

blacklist ipv6

Next, disable any services that use IPv6, e.g. ip6tables, and any IPv6-enabled network interfaces, then reboot (mandatory).

After you’ve logged in again, try, for example, to load the ipv6 module with the modprobe command (as root):

[root@centos]# modprobe -v ipv6
insmod /lib/modules/2.6.18-53.1.14.el5/kernel/net/ipv6/ipv6.ko
[root@centos]# lsmod | grep v6
ipv6                  251393  8

The blacklisted module has been loaded. This is what happens if it is needed by a system service, regardless of the fact that it has been blacklisted. In the case of ipv6 this could be a security risk, provided that the ipv6 firewall has been turned off but some network interfaces still use IPv6. So, frankly, it is suggested to read on how to disable the module more aggressively…

Completely disable the ipv6 module

To completely disable IPv6 in your system, all you have to do is save the following line in a file inside /etc/modprobe.d/.

install ipv6 /bin/true

The above line means: whenever the system needs to load the ipv6 kernel module, it is forced to execute the command true instead of actually loading the module. Since /bin/true does absolutely nothing, the module never gets loaded.

Again, it is required to reboot for the changes to take effect.

It is obvious that this is an aggressive method to disable kernel modules, but it guarantees that the module never gets loaded.

This is the recommended way to disable IPv6.
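
The difference between the two directives can be checked mechanically. The script below is an added example, not code from the original article: it classifies how a modprobe.d directory treats the ipv6 module and flags the case described above, where the module can still be loaded while ip6tables is off. The function names and the on/off firewall argument are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the original article.

# modprobe_policy DIR MODULE
# Prints how the config files in DIR treat MODULE:
#   install-override <command> | blacklist-only | none
# Reads every regular file in DIR, as the article describes; newer modprobe
# versions only honour files whose names end in .conf.
modprobe_policy() {
    for f in "$1"/*; do
        [ -f "$f" ] && { cat "$f"; echo; }   # echo guards a missing final newline
    done | awk -v mod="$2" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continuation lines
        { $0 = buf $0; buf = "" }
        /^[ \t]*#/ { next }                            # skip comment lines
        $1 == "blacklist" && $2 == mod { black = 1 }
        $1 == "install" && $2 == mod {
            cmd = $0
            sub(/^[ \t]*install[ \t]+[^ \t]+[ \t]*/, "", cmd)
            sub(/[ \t]+$/, "", cmd)
            have_install = 1
        }
        END {
            if (have_install) print "install-override " cmd
            else if (black)   print "blacklist-only"
            else              print "none"
        }'
}

# ipv6_exposure DIR FIREWALL_STATE   (FIREWALL_STATE: "on" or "off" for ip6tables)
#   disabled - modprobe runs /bin/true or /bin/false instead of loading ipv6
#   exposed  - ipv6 can still be loaded and ip6tables is off
#   filtered - ipv6 can still be loaded, but ip6tables is on
# Any other install command counts as loadable, because it may load the module.
ipv6_exposure() {
    policy=$(modprobe_policy "$1" ipv6)
    case "$policy" in
        "install-override /bin/true"|"install-override /bin/false")
            echo disabled ;;
        *)  if [ "$2" = off ]; then echo exposed; else echo filtered; fi ;;
    esac
}

# Demo on a constructed directory (sample content, not a real system).
demo() {
    d=$(mktemp -d)
    printf 'blacklist ipv6\n' > "$d/blacklist-ipv6"
    echo "blacklist only, ip6tables off:   $(ipv6_exposure "$d" off)"
    printf 'install ipv6 /bin/true\n' > "$d/disable-ipv6"
    echo "install override, ip6tables off: $(ipv6_exposure "$d" off)"
    rm -rf "$d"
}
demo
```

On a real system, point the functions at /etc/modprobe.d and pass the actual state of the ip6tables service.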

Other Configuration Tasks

Since the IPv6 functionality has been disabled, you can disable the ip6tables service (IPv6 Firewall). Issue the following command as root:

chkconfig ip6tables off

It is also a good idea, since the ip6tables service has been turned off, to disable any IPv6-related functionality in the network interface configuration. Even if you do not do this, the IPv6 stack will not be initialized because the ipv6 module cannot be loaded. But, generally, you could set the following options to “no” inside your network interface scripts, for example: /etc/sysconfig/network-scripts/ifcfg-eth0

IPV6INIT=no
IPV6_AUTOCONF=no

Finally, in Fedora 8 or newer you can safely remove the following option from the /etc/sysconfig/network file, if it exists:

NETWORKING_IPV6=no

Final Thoughts

Using the instructions above, you can completely disable IPv6 in your system. On the other hand, you should understand that IPv6 is not an evil thing… It exists in order to address certain issues. If you ever think about actually trying to configure and use it instead of just disabling it every time you install your Linux operating system, here is a good place to start

How to Disable IPv6 in Fedora and CentOS by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2008 - Some Rights Reserved

About George Notaras

George Notaras is the editor of G-Loaded Journal, a technical blog about Free and Open-Source Software. George is a GNU/Linux enthusiast, a self-taught programmer and system administrator. He strongly believes that "knowledge is power" and has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora and spends some of his spare time developing open-source software. Follow George on Twitter: @gnotaras

30 responses on “How to Disable IPv6 in Fedora and CentOS”

  1. nikosx

    or
    You can disable IPv6 support in the installation program using the boot option noipv6. The installation program does not configure network interfaces for IPv6 if you use this option.

    Some users are unlucky to own dsl routers that do not support ipv6. In this case they can get an internet connection only if they disable ipv6. It is a confusing situation even for experienced users…
    https://bugzilla.redhat.com/show_bug.cgi?id=426889

  2. Martin Levy

    Of course I really wonder why you would ever do this. Will the box be faster? I doubt it. There is so much more that could be disabled or removed in order to speed up a CentOS 5.? or Fedora 8 box. Removing printing, mDNS, excess usb listeners on servers, etc. etc. would also help; however IPv6 can be disabled with one and only one line within the config files.

    $ egrep NETWORKING_IPV6 /etc/sysconfig/network
    NETWORKING_IPV6=no
    $

    All the rest is somewhat redundant; as the module code will not be touched if you don’t enable IPv6 networking.

    However; Isn’t that just a step backwards? Why not embrace IPv6? Why not enable it on the network (assuming your hosting company or ISP provides IPv6)? Why not setup an IPv6 tunnel – which only takes 5 mins and use IPv6? After all; within a few years; that will be the norm and if you start understanding it now, then you will be well ahead of the crowd!

    BTW: Yes, I work for an IPv6 capable ISP called Hurricane Electric and datacenter company that also runs a Tunnel Broker service for non-IPv6 enabled sites. This makes me very biased towards IPv6!

    Enjoy,

    Martin

  3. George Notaras (Post author)

    @nikosx & @Martin:

    Hi,
    After a web search about how IPv6 can be disabled, I noticed that too many people rely on just blacklisting kernel modules, while what they actually want is to completely prevent a module from loading, even if it is mandatory for a system service in order to function. So, I decided to write these notes about using the alternative, but more guaranteed, method:

    install <module_name> /bin/true

    As I have written above, I do not know if there are any benefits by disabling IPv6.

    Nikos, The kernel option is useful, but it does not disable the module completely. I was not aware of the problem with the modems. Thanks for the info.

    Martin, I am not against IPv6… I just never spent any time to learn how to configure it! IPv6 exists to resolve some problems. It’s not evil. :)

    BTW, the:

    NETWORKING_IPV6=no

    is not used in Fedora 8 or newer. I should clarify it better in the article.

    Thanks for your feedback :)

  4. Kiall Mac Innes

    I’ve had many people ask about this – and even had trouble actually disabling IPv6 myself on occasion! Suffice to say this article has been bookmarked! And I agree completely that IPv6 is not evil, that IPv6 is a necessary evolution for the internet to survive… I just wish so many routers didn’t cause havoc when they see IPv6!

    I’ve even had one model of router crash when a Linux IPv6 PC is attached to it… every time without fail! (a few year old Netopia modem router)

    Kiall

  5. Chuck

    “This is not actually a problem”

    It is a problem.

    Services (eg, httpd) will still listen happily on ipv6 whenever ipv6 is enabled @ the kernel layer. If you see

    # lsmod | grep ipv6
    ipv6…

    …. then expect to see

    # netstat -tln | grep someService
    someService 0 0 :::somePort

    This has many repercussions. For instance, I spent 2 hours getting monit (should be “15 minutes”) running. Why? Because apache wasn’t hard config’d (via httpd.conf) to listen on 1.2.3.4:80 (or whatever). So it was listening on :::80.

    And let’s not even talk about DNS.

    Shoving ipv6 up down our throats is yet another reason why admins hate working on RH* boxes. The “gotta reboot” factor (go ahead and *TRY* to rmmod ipv6) is really great when there are dozens of boxes in production at a colo 40 miles away.

    re this:

    “however IPv6 can be disabled with one and only one line within the config files.

    $ egrep NETWORKING_IPV6 /etc/sysconfig/network
    NETWORKING_IPV6=no

    BZZZT. WRONG. Does not work. Somewhere in the labyrinthine and opaque RH startup scripts, the module is still getting loaded (I’ve put 2 hours into tracking it so far w/no luck). Or maybe it’s grub. rc.sysinit. Who knows? But this “simple” fix fixes nothing and leaves the module in place. With the previously described consequences.

    Finally, note that the “blacklist” keyword is N/A on older versions of modprobe.conf.
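
The `netstat -tln` check mentioned in the comment above can be turned into a small audit. This is an added example, not part of the original thread: it lists TCP listeners bound to IPv6 addresses and, when ip6tables is off, the wildcard ports that have no IPv6 packet filter in front of them. The function names and the on/off argument are assumptions, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original thread.

# ipv6_listeners: reads `netstat -tln` output on stdin and prints
# "<port> <address> <scope>" for every TCP listener bound to an IPv6 address.
# scope is wildcard (::, every address), loopback (::1) or specific.
ipv6_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            if (gsub(/:/, ":", addr) < 2) next    # one colon means IPv4 addr:port
            port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            scope = "specific"
            if (host == "::")  scope = "wildcard"
            if (host == "::1") scope = "loopback"
            print port, host, scope
        }'
}

# unfiltered_wildcard_ports IP6TABLES_STATE ("on" or "off"): reads the same
# input and prints the ports of wildcard IPv6 listeners when ip6tables is off.
unfiltered_wildcard_ports() {
    [ "$1" = off ] || return 0
    ipv6_listeners | awk '$3 == "wildcard" { print $1 }'
}

# Constructed sample in `netstat -tln` layout (not captured output).
demo() {
    unfiltered_wildcard_ports off <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN
tcp        0      0 127.0.0.1:25       0.0.0.0:*          LISTEN
tcp        0      0 :::80              :::*               LISTEN
tcp        0      0 ::1:631            :::*               LISTEN
EOF
}
demo
```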

  6. Chuck

    Oh and…

    why not execute /bin/false rather than true? This way scripts checking the retval of an insert should get a “false” rather than a “true”. Right? Unless you want things running that are actually broken…

  7. George Notaras (Post author)

    @Kiall Mac Innes: Thanks for your feedback.

    @Chuck: I know these issues with the various services (httpd, named) and IPv6 and I agree with you. Regarding the use of /bin/false instead of /bin/true in modprobe.conf, I think you have a strong point. But, on the other hand, I am not sure if the exit code of the command (/bin/true or /bin/false) is actually returned to the application which required to load the module. This will need some investigation. Thanks for your feedback.

  8. Chuck

    Hi George,

    First thanks for this article, it’s been a great help.

    As to /bin/{true,false}, I’ve been deploying using ‘false’. I’m seeing this show up in my logs (/var/log/messages on CentOS):

    modprobe: FATAL: Error running install command for ipv6

    So the exit status is germane to modprobe, though this isn’t breaking anything that I can see, “FATAL” being perhaps a bit of an overstatement :’)

    I’ve put quite some effort into running down who is still trying to push this thing. Even a simple minimalist dev box here that is only running ssh is still doing it (and sshd_config is specifically listening on 0.0.0.0 so ipv6 shouldn’t be coming up in that context). I’m to the point where I’d have to strace every single proc on the system and I’m afraid that won’t happen anytime soon. :’)

    BTW for the record I’ve nothing against ipv6. But I’m in a production environment with a lot of boxes of varying pedigrees, and ipv6 is not ok, especially due to the netfilter ramifications and as pointed out interaction with older routers and switches. It’s all about entropy reduction; we don’t use what we don’t need.

    Thanks again.

  9. George Notaras (Post author)

    Hi Chuck,

    I personally thank you for taking the time to investigate the use of /bin/false in the install statement. Regarding sshd, maybe you should also try starting sshd with the -4 command line option. This will force the server to use ipv4 only. I have not tried it myself though…

    I also agree with the entropy reduction. I am not in a production environment, but I always try to use just what I need. It is a time saver when things go wrong and you have to find out what has caused the problems.

    Thanks

  10. G-man

    There is only one thing you need do – put the next two lines in modprobe.conf (or modules.conf, depending on your implementation one or the other will be present):

    alias net-pf-10 off
    alias ipv6 off

    These two lines, especially the first one, instruct the kernel to disable the ipv6 net code. This will completely disable ipv6 on the system. All the other options listed so far will be completely ignored by the respective modules/programs if you simply use the two lines above.

  11. Brian K. Jones

    FWIW, I have been using the method described by G-man since the whole v6 networking issue arose around Fedora Core…. ummm… 4? 6 maybe? And it has always worked just fine for me. If there’s some drawback to using that as opposed to the methods described in the article, I’d like to hear it.

  12. Petr Schejbal

    Hello. My Asus modem doesn’t support ipv6 also. It works without problems in Windows XP and Vista. It’s possible in Linux to use ipv6 and then after failure try ipv4? I mean intelligent communication between OS and hardware included in Linux.

  13. George Notaras (Post author)

    So far, I haven’t noticed any form of intelligent communication between the hardware and any OS. :-) I do not know if what you ask is possible, but, if it is, then I assume it will only happen after some manual configuration.

  14. Adrian

    My trouble is that using ipv6 renders DNS resolve incredibly slow. Strace shows the DNS request is sent both ipv4 and ipv6. Ipv4 returns immediately, while ipv6 times out, eventually. Waiting for this timeout on EACH DNS request is killing.

  15. Adrian

    Naturally, my above statement is incomplete. The new api ‘getaddrinfo’ seems to involve both ipv6 and ipv4. The old api ‘gethostbyname’ only hits ipv4. So, applications that use the new api will incur a timeout, even if ipv6 is disabled in the kernel and throughout the system. I guess glibc should be smarter about it and not hit the ip6 stack if it is disabled. Alas, ip6 is the future, so it is starting to assert itself. I wonder why (at least in my case) do I get that stupid timeout on ipv6. Maybe because I have an old firewall/router between my box and the DNS server, firewall that only understands ipv6…

  16. George Notaras (Post author)

    Hi Adrian, I haven’t spent much time with the ipv6 internals. Actually, I have never bothered to set it up. I intend to do so though as soon as I can find some spare time. Thanks for your feedback.

  17. bharath vn

    DISABLE IPV6 IN UBUNTU 9.10
    gksu gedit /etc/default/grub

    CHANGE THIS LINE:
    GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

    TO
    GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

    THEN UPDATE GRUB:
    sudo update-grub

    TO TEST WITH TERMINAL:
    ip a | grep inet6

  18. George Notaras (Post author)

    @bharath: Thanks for your feedback.

    Does this method prevent the ipv6 module from loading entirely, even if an application requires it?

  19. Lars Bailey

    Some nice info on IPv6.
    If you do not want IPv6 at this time, without jumping through hoops;
    for RedHat/CentOS, add this to /etc/sysconfig/network.

    NOZEROCONF=yes

    This disables link-local on all interfaces.
    If you decide to transition to IPv6, remove the directive, and your PC is still IPv6 ready.

    1. George Notaras (Post author)

      Paul, thanks for your feedback.

      Seems like a very clean way to disable IPv6 functionality. Time permitting I’ll do some research about it and update the article accordingly. However, I’m quite certain that the net.ipv6.conf.all.disable_ipv6 key was not there at the time I wrote this post.

  20. Mark S

    In Fedora 17, I tried a lot of what is listed here. So far, none of these actions disables IPv6:

    “install ipv6 /bin/false” in /etc/modprobe.d

    “NETWORKING_IPV6=no” in /etc/sysconfig/network

    “ipv6.disable=1” and update-grub (update-grub: command not found)

    “NOZEROCONF=yes”

    The only thing I found that works is to enter the command sequence:

    ifconfig em1 inet6 down
    ifconfig em1 up

    to take down the interface and clear the ipv6 address, then bring up the interface with the ipv4 address that was already assigned.

    Unfortunately, this DOES NOT prevent application software from explicitly asking for the AAAA record, so I still have to wait for the AAAA lookup to fail on every outgoing connection.

    I know the IPv6 advocates have a point, but my DSL router DOES NOT work with IPv6, so no matter how dogmatic you get, I still can’t use it. This is one way that MS Windows is superior to Linux: If your network is only capable of IPv4, the computer does not waste time trying to use IPv6.

  21. Rodrigo

    as root :

    # sysctl net.ipv6.conf.all.disable_ipv6=1

    check with ifconfig command.

    You can make it persistent by editing sysctl.conf

  22. Luciano

    Rodrigo’s tip above was the best of them all.

    I had been searching the web for hours and nothing I found worked. Those lines added to /etc/sysconfig/network and to the interface configs did nothing either.

    At the moment I have routers running Fedora 12, and the tip of putting this line in /etc/sysctl.conf was the right one:

    net.ipv6.conf.all.disable_ipv6=1

    Thanks, and there’s the tip. Regards.

    Luciano

  23. Riccardo

    Apparently the bonding driver won’t load if you disable ipv6.

    Just an FYI :)

  24. Sabalera

    I can’t get it to work :(
    FATAL: Error inserting ipv6 (/lib/modules/2.6.32-042stab079.6/kernel/net/ipv6/ipv6.ko)

  25. stufff

    The hacker on my network removed modprobe.conf so that his malware could use ipv6 to accomplish a denial of service attack. He loaded some program called kioexes, kio_http_cache_cleaner, etc that eliminated my su permissions in terminal, in polkit so that I can’t use yumextender, can’t enter password to authenticate for root functions and loaded the malware in konqueror so that when the web browser is started the programs are memory resident only–they show up under /usr/libexec but can’t be deleted because they are only memory resident. I will never enable ipv6 ever again, firewalls and other security software do not have features to secure this protocol. And also he used linux mirrors to load his malware during software installation which included fedora updates unnecessarily one I was able to catch mirror.mit.edu. He loaded software onto my system as if he was a package manager despite having three firewalls, common attacks iptables and antispoofing iptables rules. My last option is to try to stop ipv6 from loading at grub. The ipv6 module is a terrible security risk. My whole nst fedora installation is trashed and I only have an android usb connection because it was the only isp that limits ddos packets and I don’t have to use ethernet cards that are so easily infected.
